CMMC Compliance Reference
The Cybersecurity Maturity Model Certification (CMMC) framework governs cybersecurity requirements for contractors and subcontractors operating within the US Department of Defense (DoD) supply chain. This page covers the framework's structure, certification levels, applicable regulatory instruments, and the decision boundaries that determine which organizations must comply. It serves as a reference for defense contractors, compliance professionals, and researchers navigating this sector.
Definition and scope
CMMC is a DoD-administered certification framework designed to verify that defense contractors adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) held in contractor systems. The program is codified in 32 CFR Part 170; the final rule, published by the DoD on October 15, 2024 and effective December 16, 2024, establishes CMMC 2.0 as the operative version. A companion DFARS rule (48 CFR) adds the contract clause, DFARS 252.204-7021, through which a required CMMC level is written into individual solicitations, and the requirement is being phased into contracts over a three-year rollout rather than applied to every contract at once.
The scope of CMMC extends across the entire Defense Industrial Base (DIB). The DoD CMMC Program Office has cited roughly 300,000 companies, while the 32 CFR Part 170 rulemaking estimates about 220,000 affected entities; either way the population is in the hundreds of thousands. Any organization that processes, stores, or transmits FCI or CUI in performance of a DoD contract is subject to the framework's requirements. This includes prime contractors and all lower-tier subcontractors handling covered information, a reach that distinguishes CMMC from frameworks with narrower applicability. Primes are responsible for flowing the requirement down and for confirming that subcontractors hold the level appropriate to the information they receive.
CMMC draws its technical controls primarily from two existing standards: NIST SP 800-171 Revision 2, which defines 110 security requirements for protecting CUI in non-federal systems (the rule fixes Level 2 to Revision 2 even though NIST has since published Revision 3), and NIST SP 800-172, from which CMMC selects 24 enhanced requirements for higher-risk environments. CMMC does not introduce an entirely new control set; it establishes a verification mechanism on top of existing NIST-based requirements.
The Digital Security Listings on this platform include providers operating in the CMMC assessment and advisory sector.
How it works
CMMC 2.0 organizes compliance into three certification levels, each mapped to a progressively demanding set of controls and a distinct verification method:
- Level 1 — Foundational: Applies to contractors handling FCI only. Requires implementation of the 15 basic safeguarding requirements of FAR Clause 52.204-21 (the 17-practice count belongs to CMMC 1.0, which split two of those requirements). Verified through an annual self-assessment, with an affirmation by a senior company official entered in SPRS each year.
- Level 2 — Advanced: Applies to contractors handling CUI. Requires implementation of all 110 security requirements from NIST SP 800-171 Revision 2. The solicitation states which of two variants applies: Level 2 (C3PAO) requires a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO); Level 2 (Self) requires a triennial self-assessment. Both variants require an annual affirmation by a senior official. DoD assigns the C3PAO variant based on the sensitivity of the CUI involved, so a contractor cannot choose self-assessment where the contract calls for a third-party assessment.
- Level 3 — Expert: Applies to contractors supporting the DoD's highest-priority programs. Requires a final Level 2 (C3PAO) certification as a prerequisite, plus implementation of the 24 selected NIST SP 800-172 enhanced requirements with DoD-assigned parameters. Assessed triennially by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO.
The CMMC Accreditation Body (now operating as the Cyber AB) accredits C3PAOs, and its affiliated Cybersecurity Assessor and Instructor Certification Organization (CAICO) certifies individual assessors. A Certified CMMC Assessor (CCA) leads Level 2 third-party assessments; a Certified CMMC Professional (CCP) is an entry-level credential whose holders may serve on an assessment team under a CCA or work on the advisory side. Level 3 assessments are conducted by DIBCAC government assessors, not by Cyber AB-certified personnel.
Self-assessment results and the annual affirmations for Level 1 and Level 2 (Self) are entered by the contractor in the Supplier Performance Risk System (SPRS), the DoD's platform for recording contractor cybersecurity posture. C3PAO and DIBCAC assessment results are recorded in the CMMC instance of eMASS and transmitted to SPRS from there. Prior to CMMC's phased implementation, contractors were already required under DFARS Clauses 252.204-7019 and 252.204-7020 to self-score NIST SP 800-171 compliance using the DoD Assessment Methodology (a score out of 110, with each unimplemented requirement deducting a weighted 1, 3, or 5 points) and to post the score in SPRS; that obligation continues alongside CMMC.
Common scenarios
Defense prime contractor with CUI obligations: A large defense manufacturer holding contracts that require access to CUI in contractor systems must achieve Level 2 certification. If the solicitation specifies Level 2 (C3PAO), a C3PAO must conduct the assessment; self-assessment is not an option. The contractor must document a System Security Plan (SSP) covering all CUI-scoped environments, and an assessment cannot proceed without one. A Plan of Action and Milestones (POA&M) may cover a limited set of open items: conditional certification is available only when the assessment score is at least 88 of 110 and the open items are restricted to lower-weight requirements, and the POA&M must be closed and verified within 180 days or the conditional status lapses.
Small subcontractor in the supply chain: A small machine shop subcontracting to a prime handles only FCI, for example part specifications carrying no CUI designation. Level 1 applies, and the subcontractor performs and documents an annual self-assessment against the 15 FAR-based requirements. A senior company official then affirms the result in SPRS. Level 1 permits no POA&M: every requirement must be met before the affirmation is submitted.
Contractor seeking CMMC 2.0 gap analysis: Before formal assessment, contractors commonly engage a CCP or a Registered Practitioner Organization to identify gaps between current NIST SP 800-171 implementation and required practices. This pre-assessment review is distinct from formal certification and does not produce an official SPRS score. 32 CFR Part 170 bars a C3PAO from assessing an organization it has advised, so a contractor that uses a C3PAO's consulting arm for the gap analysis must engage a different C3PAO for the certification assessment.
Research institution with DoD grants: Academic and research entities receiving DoD contracts (not grants) that involve CUI are subject to CMMC requirements under 32 CFR Part 170, because the requirement is imposed through DFARS contract clauses. Grants and other assistance instruments do not carry those clauses. CUI received under a grant remains subject to the government-wide CUI rule at 32 CFR Part 2002 and to any safeguarding terms in the award, but not to CMMC certification.
Decision boundaries
CMMC applicability hinges on two threshold questions: whether a contract involves FCI or CUI, and whether that information is processed, stored, or transmitted in contractor information systems. Contracts solely for commercial-off-the-shelf (COTS) items and awards below the micro-purchase threshold are explicitly excluded under 32 CFR Part 170.
Scope is determined per information system, not per company. The CMMC Scoping Guides sort assets into CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets; only the first four are assessed, and a contractor can shrink the assessment boundary by isolating CUI handling into an enclave.
The distinction between Level 1 and Level 2 turns entirely on whether CUI, as defined by the categories in the CUI Registry maintained by the National Archives, is present in in-scope systems. FCI alone triggers Level 1; any CUI triggers at minimum Level 2. Contractors should confirm the designation with the contracting officer when deliverables or government-furnished information carry no markings, since an unmarked document is not automatically FCI-only.
CMMC should not be conflated with FedRAMP, which governs cloud service providers offering services to federal agencies under the FedRAMP Authorization Act. A cloud service provider used by a defense contractor to store, process, or transmit CUI must hold FedRAMP Moderate authorization or meet the DoD-defined "FedRAMP Moderate equivalent" bar under DFARS 252.204-7012(b)(2)(ii)(D); this is a parallel obligation on the provider, not a substitute for the contractor's own CMMC assessment. The cloud service still falls inside the contractor's CMMC scope, and the assessor will expect a customer responsibility matrix showing which of the 110 requirements the provider covers and which remain with the contractor.
CMMC also differs from the NIST Cybersecurity Framework (CSF), which is a voluntary risk management framework without a formal certification process or contract enforcement mechanism. CMMC is a contractual requirement enforced through acquisition regulations, making non-compliance a basis for contract ineligibility rather than a regulatory fine. The annual affirmation is nonetheless a certification to the government, and a knowingly false self-assessment or affirmation can be pursued under the False Claims Act, as the Department of Justice's Civil Cyber-Fraud Initiative has done with NIST SP 800-171 attestations.
The Digital Security Authority's purpose and scope covers how this directory structures its cybersecurity sector coverage, including CMMC-relevant service categories. Additional context on navigating provider categories is available in How to Use This Digital Security Resource.
References
- DoD CMMC Program Office — Official Program Page
- 32 CFR Part 170 — Cybersecurity Maturity Model Certification (CMMC) Program (eCFR)
- 32 CFR Part 2002 — Controlled Unclassified Information (eCFR)
- NIST SP 800-171 Rev. 2 — Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-172 — Enhanced Security Requirements for Protecting Controlled Unclassified Information
- Cyber AB (formerly the CMMC Accreditation Body)
- DFARS Clause 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS Clause 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS Clause 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements
- DFARS Clause 252.204-7021 — Cybersecurity Maturity Model Certification Requirements
- FAR Clause 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems
- National Archives CUI Registry
- FedRAMP — Federal Risk and Authorization Management Program